Introduction
A low privileged user on any Splunk deployment running the Secure Gateway app can achieve full remote code execution on the underlying server, no admin or power role required. The vulnerability, tracked as CVE-2026-20251 with a CVSS score of 8.8, exploits unsafe deserialization of KV Store data through the jsonpickle Python library, and it follows a closely related flaw (CVE-2026-20163) that is already confirmed exploited in the wild and listed in the CISA Known Exploited Vulnerabilities Catalog.
Technical Information
Root Cause: CWE-502 and jsonpickle
CVE-2026-20251 is classified under CWE-502 (Deserialization of Untrusted Data). The CVSSv3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which breaks down as follows:
| CVSS Component | Value | Implication |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the network |
| Attack Complexity (AC) | Low | No special conditions required |
| Privileges Required (PR) | Low | Any authenticated non admin, non power user |
| User Interaction (UI) | None | No victim action needed |
| Scope (S) | Unchanged | Impact confined to the vulnerable component |
| Confidentiality (C) | High | Full access to all data |
| Integrity (I) | High | Full modification of data |
| Availability (A) | High | Complete denial of service possible |
The Splunk App Key Value Store (KV Store) is a MongoDB backed storage layer that allows Splunk apps to persist and retrieve state data as key value pairs in collections. Apps interact with the KV Store through a REST API, and the data is serialized and deserialized using Python libraries. The Splunk Secure Gateway app uses the jsonpickle library for this serialization and deserialization process.
The jsonpickle library extends standard JSON serialization by preserving Python object types. When jsonpickle.decode() processes data, it can reconstruct complex Python objects, including invoking constructors and the __reduce__ method. The __reduce__ protocol specifies arbitrary callables and arguments to be executed upon deserialization. This is the core mechanism that enables code execution.
Attack Flow
Security research has documented a straightforward exploitation technique for jsonpickle deserialization vulnerabilities. The attack proceeds as follows:
- An attacker defines a malicious Python class that implements the
__reduce__method to return a callable and its arguments, such as(os.system, ('whoami',)). - This crafted object is serialized using jsonpickle, producing a JSON structure that captures the dangerous
__reduce__call. - The payload is typically encoded in Base64 before transmission to the vulnerable endpoint.
- The backend decodes the Base64 data and passes it to
jsonpickle.decode(), which immediately executes the embedded command.
In the context of CVE-2026-20251 specifically:
- An authenticated low privileged user (one who does not hold the admin or power Splunk roles) crafts a malicious JSON payload targeting the KV Store data used by the Splunk Secure Gateway app.
- The payload contains jsonpickle encoded data with a
__reduce__directive specifying an arbitrary system command. - When the Splunk Secure Gateway processes this data through
jsonpickle.decode(), the arbitrary command executes on the Splunk server with the privileges of the Splunk process. - The attacker achieves full RCE on the Splunk server, gaining access to all indexed data, the ability to modify dashboards and alerts, and potential lateral movement within the network.
The Splunk Secure Gateway Attack Surface
The Splunk Secure Gateway is a core app that acts as the backend for the Connected Experiences ecosystem, bridging the Splunk environment (on premises or cloud) and external devices through a cloud based relay infrastructure called Spacebridge. It supports Splunk Mobile, Spacebridge, and Mission Control integrations. The app uses the KV Store for managing device registrations, metadata, and application state.
This reliance on the KV Store creates the intersection point where untrusted data reaches the vulnerable jsonpickle.decode() call. Because the KV Store REST API is accessible to low privileged authenticated users, the attack surface is considerably broader than vulnerabilities requiring admin level access.
Relationship to CVE-2026-20163
A closely related vulnerability, CVE-2026-20163, exploits the same jsonpickle/KV Store deserialization mechanism in Splunk Enterprise and Cloud Platform. That vulnerability required admin level privileges for exploitation, whereas CVE-2026-20251 lowers the privilege threshold to any authenticated non admin, non power user through the Secure Gateway app. CVE-2026-20163 was added to the CISA Known Exploited Vulnerabilities Catalog, confirming active exploitation in the wild. The lower privilege requirement of CVE-2026-20251 makes it a more attractive target for adversaries.
Affected Systems and Versions
The following products and version ranges are affected:
Splunk Enterprise:
- Versions below 10.2.4 (in the 10.2.x branch)
- Versions below 10.0.7 (in the 10.0.x branch)
- Versions below 9.4.12 (in the 9.4.x branch)
- Versions below 9.3.13 (in the 9.3.x branch)
Fixed in: 10.4.0, 10.2.4, 10.0.7, 9.4.12, 9.3.13 and higher within each branch.
Splunk Cloud Platform:
- Versions below 10.3.2512.12
- Versions below 10.2.2510.14
- Versions below 10.1.2507.22
- Versions below 9.3.2411.132
Splunk Secure Gateway (standalone app):
- Versions below 3.10.6 (in the 3.10.x branch)
- Versions below 3.9.20 (in the 3.9.x branch)
- Versions below 3.8.67 (in the 3.8.x branch)
Organizations unable to upgrade immediately can fully mitigate the vulnerability by turning off or completely removing the Splunk Secure Gateway app, though this disables Splunk Mobile, Spacebridge, and Mission Control functionality.
Vendor Security History
Splunk, now a subsidiary of Cisco Systems, has a documented pattern of security advisories in 2026 that is worth noting for context:
| Advisory | Date | Title | Severity |
|---|---|---|---|
| SVD-2026-0601 | 2026-06-10 | RCE through Deserialization in Splunk Secure Gateway | High |
| SVD-2026-0302 | 2026-03-11 | RCE through /splunkd/__upload/indexing/preview REST endpoint | High |
| SVD-2026-0401 | 2026-04-01 | Improper Input Validation during User Account Creation | N/A |
| SVD-2026-0206 | 2026-02-18 | Improper Access Control in Splunk Monitoring Console App | Medium |
The pattern of multiple high severity RCE advisories in a single year, particularly two separate vulnerabilities exploiting the same jsonpickle/KV Store attack surface (CVE-2026-20163 and CVE-2026-20251), indicates a recurring vulnerability class within Splunk's Python based data handling. The advisory source is listed as [email protected], reflecting the integration of Splunk's Product Security Incident Response Team into Cisco's broader PSIRT infrastructure following the acquisition.
CVE-2026-20251 was reported by external security researcher M Mahdan Argya Syarif (0xbeludan), indicating the flaw was discoverable through independent research. This is relevant because it suggests adversaries with similar capabilities may have already identified the same attack surface.
References
- SVD-2026-0601: Splunk Vulnerability Disclosure (Official Advisory)
- CISA Known Exploited Vulnerabilities Catalog
- CVE-2026-20163: Splunk Enterprise RCE Vulnerability (SentinelOne)
- Quantifying 2026 Routinely Targeted Vulnerabilities (VulnCheck)
- Critical Splunk CVE-2026-20163 RCE Vulnerability (Smarttech247)
- CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild (Proofpoint)
- Splunk Security Advisories Archive
- Splunk CVEs and Security Vulnerabilities (OpenCVE)
- Splunk Security Advisory AV25-168 (Canadian Centre for Cyber Security)
- About the App Key Value Store (Splunk Documentation)
- About Splunk Secure Gateway (Splunk Documentation)
- Manage App State Using KV Store (Splunk Developer Documentation)
- Remote Code Execution via jsonpickle Deserialization (Sourcery)
- python jsonpickle 2.0.0 Remote Code Execution (Exploit DB)
- Research: Exploiting Jsonpickle to Get RCE (Version 2)
- SVD-2026-0302: Splunk Vulnerability Disclosure



